The present invention relates to an apparatus for checking an error recognition functionality of a memory circuit, in particular in the field of chip cards or smartcards, which are employed in sensitive areas, for example, and thus may be subject to attacks.
In sensitive areas concerning security, various technical protective measures are employed. These protective measures enable, for example, users to access certain computer systems, authorized persons to be permitted access to certain areas blocked for the public, or also to access secured information, such as private keys within the scope of a public key cryptography method, bank data, or credit card information. The authorized user, i.e. the authorized user of a computer system or also a person authorized to access a non-public area, for example, often obtains a chip card with a security controller identifying the user as authorized to a security system. A security controller is a microcontroller that may for example be employed on a chip card for monitoring security functions.
Such security systems and security circuits, for example including chip cards, already are subject to attacks, which are to be fended off by various countermeasures on the part of the security circuits, because of the value of the goods, information and privileges protected thereby. The functionality of the countermeasures has previously been checked by so-called UmSLC (user mode sensor life control) modules. Apart from corresponding supply circuits and evaluation circuits, the central components of the countermeasures have previously been sensors supposed to recognize the attacks. Among the sensors are voltage sensors, frequency sensors, temperature sensors and light sensors, for example. In order to check the functionality of the countermeasures, i.e. the functionality of the various sensors, their supply circuits, and the associated evaluation circuits, the sensors and/or their associated components were adjusted or stimulated by the UmSLC module so that an alarm was triggered. However, the triggered alarm was not judged to be an attack, in other words, this alarm was not switched effectively, but it was only checked whether it was generated at all. If the alarm did not take place within the scope of such a test, the UmSLC module assumed a manipulative attack having rendered the sensor inoperative. In such a case, the UmSLC module may itself generate and output an alarm signal, which may lead to the security controller of a chip card and/or the CPU (central processing unit) of the security controller being stopped, destroying or deleting sensitive information, or causing a reset of the security controller.
New countermeasures now are no longer or no longer exclusively based on analog sensors, which recognize changes in the environmental conditions or in the operating conditions of the security components concerned (for example of a security controller), but also comprise logic measures supposed to recognize changes in information, which is stored in the security controller, for example. Conventional UmSLC modules therefore no longer meet these requirements.
FIG. 2 shows a block circuit diagram of a possible solution of a memory circuit 800 with an error recognition functionality or EDC (error detection code) functionality. The memory circuit 800 is coupled to a bus 810, via which the memory circuit 800 can communicate with further components of a security controller, which includes the memory circuit 800. Via the bus 810, for example data signals, control signals, status signals and command signals may thus be exchanged between the memory circuit 800 and other components of the security controller, for example a CPU, an input/output module, or a cryptoprocessor. The memory circuit 800 is connected to the bus 810 via a memory control unit or a memory controller 820. The memory controller 820 is further connected to a memory matrix 850 via a plurality of row selection lines 830, also referred to as word lines, and via a plurality of column selection lines 840, also referred to as bit lines or input/output lines. The memory controller 820 is further coupled to an EDC module 860 via an internal data line and an error signal line. The EDC module 860 is further coupled to an EDC memory controller 870. An EDC memory matrix 880 is connected to the EDC memory controller 870 via a plurality of word lines 890 and a plurality of bit lines 900.
In the following, the functioning of the memory circuit 800 will be explained at the example of a read access. If the memory circuit 800 or the memory controller 820 receives the command to read out a certain memory address via the bus 810, the memory controller 820 accesses the memory matrix 850 via a row converter and a column converter the memory controller 820 includes via the plurality of word lines 830 and reads out a datum stored in the memory matrix 850 under the certain address via the plurality of bit lines 840. Thereupon, the memory controller 820 communicates the datum DA as well as the memory address underlying the datum DA to the EDC 860 via the internal data line. The EDC module 860 requests a corresponding checksum or check value, which is for example stored under the same address in the EDC memory matrix, from the EDC memory controller 870. To this end, the EDC memory controller 870 drives the EDC memory matrix 880 via the plurality of word lines 890 and obtains the checksum associated with the datum DA, which the EDC memory controller 870 communicates to the EDC module 860, via the plurality of bit lines 900. The EDC module 860 also calculates a checksum from the datum DA and compares it to the stored checksum. If both checksums satisfy a predetermined relation with respect to each other, i.e. if they match, for example, the EDC module 860 does not communicate an error signal FS (FS=Fehlersignal=error signal) via the error signal line. However, if both checksums do not satisfy the predetermined relation with respect to each other, i.e. if they do not match, for example, the EDC module 860 communicates an error signal FS via the error signal line to the memory controller 820, which may then for example forward the error signal FS to the CPU via the bus 810.
As memory, both read-only memories, i.e. for example ROM (read-only memory) memories, and memories that enable reading and writing accesses may be employed. Examples for the latter memories are RAM (random access memory) memories, non-volatile memories (NVM), such as flash memories or EEPROM (electrically erasable programmable read-only memory) memories, or also cache memories. Depending on the memory type used, the communication of the memory with other components, such as the CPU, does not necessarily take place via a bus, as it is shown in FIG. 2, but via another data link.
If the memory type permits a writing access to the memory circuit 800, this takes place in similar manner. In this case, the memory controller 820 drives the plurality of word lines 830 and the plurality of bit lines 840 so that the datum to be stored is stored at a memory location associated with a certain address. Moreover, the memory controller 820 communicates both the datum DA and the associated address to the EDC module 860. The EDC module 860 calculates a checksum from the datum and directs the EDC memory controller 870 to store the checksum under the address in the EDC memory matrix 880 by drives the plurality of word lines 890 and bit lines 900.
For calculating the checksum of a datum, various methods or algorithms may be employed here. The checksum frequently consists of a simple parity bit or a CRC (cyclic redundancy check) checksum or also a hash value, as it may be calculated with the algorithm MD5, MD2, or RIPEMD-160, for example.
Within the scope of an attack on the memory circuit 800, an attacker may for example try disrupting the EDC module 860 and hence also the error recognition functionality by a physical attack, maybe in form of targeted back-etching of selected regions of the chip including the memory circuit 800, and by applying electrical voltages or voltage pulses to certain regions of the chip. Hereby, the attacker may for example manipulate the content of the memory matrix 850 so that this manipulation cannot be recognized anymore. As a result, for example, a program code causing a microcontroller also included in the chip to give away actually secret data may be written into the memory 800. The above-described sensors are indeed basically suited for detecting a corresponding attack on the error recognition functionality of the memory circuit. Yet, these sensors are always sensitive to a certain set of attacks only.